Sony BMG Copy Protection
Sony BMG Copy Protection was the copy protection for Sony BMG Music. It followed major scandals over the implementation of deceptive, illegal, and harmful copy protection measures on about 23 million CDs.

Payload

When inserted into a computer, the CDs installed one of two pieces of software which provided a form of DRM by modifying the operating system to interfere with CD copying. Neither program could easily be uninstalled, and they created vulnerabilities that were exploited by unrelated malware. Sony claims this was unintentional. One of the programs, installed even if the user refused its EULA, would still "phone home" with reports on the user's private listening habits; the other was not mentioned in the EULA at all, contained code from several pieces of copylefted free software in an apparent infringement of copyright, and configured the operating system to hide the software's existence, leading to both programs being classified as rootkits.

Sony BMG initially denied that the rootkits were harmful. It then released, for one of the programs, an "uninstaller" that only un-hid the program, installed additional software which could not be easily removed, collected an email address from the user, and introduced further security vulnerabilities.

Following public outcry, government investigations, and class-action lawsuits in 2005 and 2006, Sony BMG partially addressed the scandal with consumer settlements, a recall of about 10% of the affected CDs, and the suspension of CD copy protection efforts in early 2007.

Background

In August 2000, statements by Sony US senior VP Steve Heckler foreshadowed the events of late 2005. Heckler told attendees at the Americas Conference on Information Systems "The industry will take whatever steps it needs to protect itself and protect its revenue streams... It will not lose that revenue stream, no matter what... Sony is going to take aggressive steps to stop this. We will develop technology that transcends the individual user.
We will firewall Napster at source – we will block it at your cable company. We will block it at your phone company. We will block it at your ISP. We will firewall it at your PC... These strategies are being aggressively pursued because there is simply too much at stake."

In Europe, BMG created a minor scandal in 2001 when it released Natalie Imbruglia's second album, White Lilies Island, without warning labels stating that the CD had copy protection. The CDs were eventually replaced. BMG and Sony both released copy-protected versions of certain releases in certain markets in late 2001, and a late 2002 report indicated that all BMG CDs sold in Europe would have some form of copy protection.

Copy-protection software

The two pieces of copy-protection software at issue in the 2005–2007 scandal were included on over 22 million CDs marketed by Sony BMG, the record company formed by the 2004 merger of Sony and BMG's recorded music divisions. About two million of those CDs, spanning 52 titles, contained First 4 Internet (F4I)'s Extended Copy Protection (XCP), which was installed on Microsoft Windows systems after the user accepted the EULA, which made no mention of the software. The remaining 20 million CDs, spanning 50 titles, contained SunnComm's MediaMax CD-3, which was installed on either Microsoft Windows or Mac OS X systems after the user was presented with the EULA, regardless of whether the user accepted it (although Mac OS X prompted the user for confirmation when the software sought to modify the OS).

The scandal erupted on October 31, 2005, when Winternals (later acquired by Microsoft) researcher Mark Russinovich posted to his blog a detailed description and technical analysis of F4I's XCP software that he ascertained had been recently installed on his computer by a Sony BMG music CD. Russinovich compared the software to a rootkit due to its surreptitious installation and its efforts to hide its existence.
He noted that the EULA does not mention the software, and he asserted emphatically that the software is illegitimate and that digital rights management had "gone too far".

Anti-virus firm F-Secure concurred: "Although the software isn't directly malicious, the used rootkit hiding techniques are exactly the same used by malicious software to hide themselves. The DRM software will cause many similar false alarms with all AV software that detect rootkits. ... Thus it is very inappropriate for commercial software to use these techniques." After public pressure, Symantec and other anti-virus vendors included detection for the rootkit in their products as well, and Microsoft announced it would include detection and removal capabilities in its security patches.

Russinovich discovered numerous problems with XCP:

* It creates security holes that can be exploited by malicious software such as worms or viruses.
* It constantly runs in the background and excessively consumes system resources, slowing down the user's computer, regardless of whether there is a protected CD playing.
* It employs unsafe procedures to start and stop, which could lead to system crashes.
* It has no uninstaller, and is installed in such a way that inexpert attempts to uninstall it can lead the operating system to fail to recognize existing drives.

Soon after Russinovich's first post, there were several trojans and worms exploiting XCP's security holes. Some people even used the vulnerabilities to cheat in online games.

Sony BMG quickly released software to remove the rootkit component of XCP from affected Microsoft Windows computers, but after Russinovich analyzed the utility, he reported in his blog that it only exacerbated the security problems and raised further concerns about privacy. Russinovich noted that the removal program merely unmasked the hidden files installed by the rootkit, but did not actually remove the rootkit.
He also reported that it installed additional software that could not be uninstalled. In order to download the uninstaller, he found it was necessary to provide an e-mail address (which the Sony BMG Privacy Policy implied was added to various bulk e-mail lists), and to install an ActiveX control containing backdoor methods (marked as "safe for scripting", and thus prone to exploits).

On November 18, 2005, Sony BMG provided a "new and improved" removal tool to remove the rootkit component of XCP from affected Microsoft Windows computers called MediaMax.

Legal and financial problems

Product recall

On November 15, 2005, vnunet.com announced that Sony BMG was backing out of its copy-protection software, recalling unsold CDs from all stores, and offering to let consumers exchange their CDs for versions lacking the software. Sony BMG was quoted as maintaining that "there were no security risks associated with the anti-piracy technology", despite numerous virus and malware reports.

On November 16, 2005, US-CERT, part of the United States Department of Homeland Security, issued an advisory on XCP DRM. They said that XCP uses rootkit technology to hide certain files from the computer user, and that this technique is a security threat to computer users. They also said one of the uninstallation options provided by Sony BMG introduces further vulnerabilities to a system. US-CERT advised, "Do not install software from sources that you do not expect to contain software, such as an audio CD."

On November 18, 2005, Reuters reported that Sony BMG would exchange affected insecure CDs for new unprotected disks as well as unprotected MP3 files.

On November 29, then-New York Attorney General Eliot Spitzer found through his investigators that, despite the recall of November 15, Sony BMG CDs with XCP were still for sale in New York City music retail outlets.
Spitzer said "It is unacceptable that more than three weeks after this serious vulnerability was revealed, these same CDs are still on shelves, during the busiest shopping days of the year, and I strongly urge all retailers to heed the warnings issued about these products, pull them from distribution immediately, and ship them back to Sony."

As of May 11, 2006, Sony BMG's website offered consumers a link to "Class Action Settlement Information Regarding XCP And MediaMax Content Protection." It has online claim filing and links to software updates/uninstallers. The deadline for submitting a claim was June 30, 2007.

As of April 2, 2008, Sony BMG's website finally offered consumers its explanation and a list of affected CDs.

Copyright infringement

Researchers found that Sony BMG and the makers of XCP also apparently infringed copyright by failing to adhere to the licensing requirements of various pieces of free and open-source software whose code was used in the program, including the LAME MP3 encoder, mpglib, FAAC, id3lib, mpg123 and the VLC media player. In January 2006, the developers of LAME posted an open letter stating that they expected "appropriate action" by Sony BMG, but that the developers had no plans to investigate or take action over the apparent violation of LAME's source code license.

In a November 7, 2005 article, vnunet.com summarised Russinovich's findings, and urged consumers to avoid buying Sony BMG music CDs for the time being. The following day, The Boston Globe classified the software as spyware, and Computer Associates' eTrust Security Management unit VP Steve Curry confirmed that it communicates personal information from consumers' computers to Sony BMG (namely the CD being played and the user's IP address). The methods used by the software to avoid detection were likened to those used by data thieves.

On November 8, 2005, Computer Associates decided to classify Sony BMG's software as "spyware" and provide tools for its removal.
Speaking about Sony BMG suspending the use of XCP, independent researcher Mark Russinovich said, "This is a step they should have taken immediately."

The first virus which made use of Sony BMG's stealth technology to make malicious files invisible to both the user and anti-virus programs surfaced on November 10, 2005. One day later, Yahoo! News announced that Sony BMG had suspended further distribution of the controversial technology.

On December 6, 2005, Sony BMG said that 5.7 million CDs spanning 27 titles were shipped with MediaMax 5 software. The company announced the availability of a new software patch to prevent a potential security breach in consumers' computers.

Sony BMG in Australia issued a press release indicating that no Sony BMG titles manufactured in Australia have copy protection.